Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database), under a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-44611

Publication date:
29/05/2026
Danelec MacGregor Voyage Data Recorder passwords are stored with a hashing method which limits password length and is susceptible to brute force attacks.
Severity CVSS v4.0: MEDIUM
Last modification:
29/05/2026

CVE-2026-44648

Publication date:
29/05/2026
SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, SillyTavern relies on cookie-session for authentication, storing all session data (user handle, permissions) in a signed cookie. The endpoints POST /api/users/change-password and POST /api/users/recover-step2 only update the password hash in the database but do not expire current sessions. Because the session is stateless and stored entirely in the client cookie, there is no server-side mechanism to revoke a token once issued. This vulnerability is fixed in 1.18.0.
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2026

CVE-2026-44649

Publication date:
29/05/2026
SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, SillyTavern accepts Remote-User (Authelia) and X-Authentik-Username (Authentik) HTTP headers to automatically log in users when SSO is configured. There is no validation that these headers originate from a trusted reverse proxy. Any network client that can reach the SillyTavern port directly can inject these headers and authenticate as any user, including administrators, without a password. This vulnerability is exploitable only when sso.autheliaAuth: true or sso.authentikAuth: true is set in config.yaml (both default to false). This vulnerability is fixed in 1.18.0.
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2026

CVE-2026-44650

Publication date:
29/05/2026
SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, POST /api/extensions/delete endpoint accepts extensionName: "." which bypasses sanitize-filename validation, causing the entire user extensions directory to be recursively deleted. No authentication is required in the default configuration. This vulnerability is fixed in 1.18.0.
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2026

CVE-2026-44651

Publication date:
29/05/2026
SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, when fetch(url) throws, the code sends: res.status(500).send('Error occurred while trying to proxy to: ' + url + ' ' + error). The url value is attacker-controlled (req.params.url) and is not HTML-escaped before rendering. This vulnerability is fixed in 1.18.0.
Severity CVSS v4.0: MEDIUM
Last modification:
29/05/2026

CVE-2026-40425

Publication date:
29/05/2026
The administrator account for the Danelec MacGregor Voyage Data Recorder web interface can directly edit sensitive files related to authentication, potentially changing the root password.
Severity CVSS v4.0: MEDIUM
Last modification:
29/05/2026

CVE-2026-42929

Publication date:
29/05/2026
Danelec MacGregor Voyage Data Recorder includes default accounts with hard-coded credentials.
Severity CVSS v4.0: HIGH
Last modification:
29/05/2026

CVE-2026-42941

Publication date:
29/05/2026
The Danelec MacGregor Voyage Data Recorder device includes a default username and password, with no enforced password change.
Severity CVSS v4.0: HIGH
Last modification:
29/05/2026

CVE-2026-6824

Publication date:
29/05/2026
A stored cross-site scripting (XSS) vulnerability exists in certain 1xxx series NVR devices due to insufficient sanitization of user-supplied input in specific functional modules. Attackers can inject malicious scripts, which are then persistently stored on the device backend. When administrators or users access affected pages, the stored scripts are executed in their browsers, leading to potential session hijacking, unauthorized actions, or data theft.
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2026

CVE-2026-7786

Publication date:
29/05/2026
Jinan USR IOT Technology Limited (PUSR) USR-W610 RS232/485 to Wi-Fi/Ethernet Converter device firmware contains plaintext administrative credentials embedded in the firmware image. These credentials can be extracted through firmware analysis and used to authenticate to device services.
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2026

CVE-2026-5386

Publication date:
29/05/2026
The affected KMW CCTV Security Cameras are vulnerable to a critical unauthenticated password reset. This flaw allows an attacker to remotely reset the administrator password to a known value without authentication, granting full access to the camera feeds and settings.
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2026

CVE-2026-5768

Publication date:
29/05/2026
The Frontier X2 device allows unauthenticated BLE read/write access to critical GATT characteristics without enforcing pairing authentication or authorization. This allows attackers within BLE range to perform unauthorized control of device functions, including starting/stopping activities, triggering vibrations, causing denial-of-service conditions, and fuzzing characteristic values to induce unexpected behavior. Additionally, the Frontier X mobile application lacks proper BLE device authentication, allowing attackers to impersonate a legitimate Frontier X2 device and connect to the application. By cloning BLE advertisements and exposing expected GATT characteristics, attackers can manipulate activity states and inject fabricated health telemetry such as breathing rate, heart rate, strain, and other health-related data into the mobile application.
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2026